Password security is one of the hottest security issues and one of the most difficult to manage, regardless if you are a Fortune 100 company or an independent consultant, such as myself. Password managers make it a lot easier to manage your side of password security, and if you are not using one, you should. I have used password managers for over ten years, including RoboForm (commercial license), KeePass (open source), ThinkPad Password Manager, and LastPass (commercial license). In my opinion, LastPass is far and above the best password manager/safe, as it is platform agnostic, runs in the cloud, has plugins for all major browsers, and runs on nearly every device. I can sit down at any Internet connected device in the world and access my password vault.
I migrated from RoboForm to LastPass a few years ago, after being frustrated with Siber Systems’, the makers of RoboForm, forced upgrade cycle. I have been happy and secure ever since. Their service is free, though they offer a premium and enterprise version of their product. The fine folks at LastPass have introduced a tool for their users that takes the utterly boring and dreadful task of auditing your password security and gamifies it. The process is simple: Click a button in your ‘vault’, answer a couple of questions, and the system does the rest. The following assumes that you are already using LastPass.
Login to your LastPass vault and click Security Check
This will take to you the next page:
Click START THE CHALLENGE
LastPass will evaluate all of the passwords in your vault:
This part is really neat: During the analysis, LastPass pulls all of your email addresses and asks you if you want them to check to see if any of them have been involved in any known security breaches. Click OK:
You will see this message if none of your email addresses have been identified in a breach:
You are taken to a page that shows you your score and your ranking against all other LastPass users who have taken the challenge:
So that is it! I love the fact that the whole audit process is simplified and fun at the same time.
My Score Analysis
On the surface, a score of 92.4% does not seem all that great. You will see that I have some weak passwords and some duplicate passwords. Here are some reasons that I, and you, may have a lower score:
- Some websites do not allow for highly complex passwords. For example, one of my sites has only a 4 digit number allowed as a password. Others have a maximum of 8 characters.
- Some of the sites are enterprise applications, like Oracle EBS, including quite a few development, testing and training environments that are accessible to only a small group of people.
- Some enterprise systems utilize the same password across multiple applications, such as with Active Directory and an integrated Single Sign-On system.
I have secured the passwords as best as I can. I will continue to test and re-test to make sure my passwords are secure.
Humans will always be the weakest link in the security chain. Even with methods such as two factor authentication, we humans will still be the cause of most breaches in information systems security. If you don’t use a password manager, get one. I recommend LastPass because it is free for most users. Here is an interesting list of the worst security breaches in this century, written in February 2012:
~ + ~
I am somewhat of a freak about information security (infosec) on a whole, mostly because my company deals with some of the most sensitive and potentially damaging data: human capital data. All of our data is stored on encrypted drives and servers, all transactions/interactions are performed over SSL encrypted communications, and no sensitive data is shared via insecure means, like email or USB/removable drives.